Biggest data breach penalties for 2018

Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes, have cost these eight companies a total of nearly $280 million and counting.

2018 has already seen companies hit with sizable fines and settlements due to data breaches. Uber’s poor handling of its 2016 breach has cost it close to $150 million. Weakly protected and heavily regulated health data has cost medical facilities dearly, with the US Department of Health and Human Services collecting increasingly large fines.

There could be even bigger fines on the horizon now that the European Union’s General Data Protection Regulation (GDPR) has come into force. Data regulators in the EU are able to fine up to €20 million or 4% of global annual turnover, whichever is higher. A number of high profile companies have already suffered large-scale breaches since the new regulations came into force, meaning 2019 could well see the cost of failure skyrocket.

Uber: $148 million

In 2016 ride-hailing app Uber had the accounts of 600,000 drivers and 57 million users breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions cost the company dearly: in September it agreed to pay $148 million, the biggest data-breach payout in history, to settle claims that it had violated state data breach notification laws.

Yahoo: $85 million

In 2013 Yahoo suffered a massive security breach that affected its entire user database, about 3 billion accounts, close to the entire population of the web at the time. The company, however, did not disclose the breach for three years.

In April, the US Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose the breach to investors. In September, Yahoo’s successor company Altaba said it had settled a class action lawsuit resulting from the breaches for $50 million.

A total bill of $85 million for three billion accounts works out at under three cents per record. Considering that the average cost per record of a data breach is around $148, and that IBM has put the cost of multi-million record megabreaches at hundreds of millions of dollars, the company may have gotten off lightly.

Tesco Bank: $21 million

Tesco Bank, the retail banking arm of the UK supermarket chain, was hit with a £16.4 million ($21.2 million) fine by the UK’s Financial Conduct Authority (FCA) after just under $3 million was stolen from 9,000 customer accounts in 2016. The FCA found “deficiencies” in the design of the bank’s debit card, in its financial crime controls and in its Financial Crime Operations Team.

Anthem: $16 million

US health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The exposed data included names, birthdates, Social Security numbers and medical IDs. In October the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company agreed to pay in 2017 to settle a class action lawsuit relating to the breach.

The University of Texas MD Anderson Cancer Center: $4.3 million

In June an administrative law judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer center suffered three data breaches between 2012 and 2013: the theft of an unencrypted laptop from an employee’s residence, and the loss of two unencrypted USB thumb drives. The health information of over 33,500 individuals was exposed.

Fresenius Medical Care North America: $3.5 million

HIPAA failures strike again. In February Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012. An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”

These failures included not preventing unauthorized access to facilities and equipment, failing to encrypt health data, not governing the removal of electronic media holding health data, and lacking security incident procedures.

Equifax and Facebook: $650,000

Equifax and Facebook can count themselves lucky. The UK Information Commissioner’s Office fined the two companies for data failures under the pre-GDPR Data Protection Act, under which the highest possible fine is just £500,000 (~$650,000). Under GDPR, the penalties could have been far higher. Facebook was handed the maximum penalty in October over the Cambridge Analytica data scandal, while Equifax received the same maximum in September for its 2017 breach, which exposed data on 147 million people.

Possible upcoming penalties

British Airways is facing a £500 million ($650 million) lawsuit after the payment card details of 380,000 customers were skimmed from its website and app.

UK supermarket chain Morrisons is facing a large payout to its employees after payroll information of 100,000 company workers was leaked online by a disgruntled IT auditor in 2014. In October the company lost its appeal in a group action brought by more than 5,000 staff, but plans to take the case to the Supreme Court. It is the UK’s first data leak group action, and could set a precedent for employer liability for the actions of their employees.

Now that GDPR has come into force, companies suffering data breaches face potentially massive financial repercussions. Facebook’s recent “View As” flaw, the UK Conservative Party’s poorly secured conference app, Google’s recent shutdown of its Google+ social network following a data exposure, and Dixons Carphone’s leak of 5.9 million customer records could all be subject to penalties. In September Canadian analytics firm AggregateIQ (AIQ) became the first company to be issued a GDPR enforcement notice, possibly paving the way for a fine in the future.